Data Privacy Faqs

DATA PRIVACY FAQS

Republic Act No. 10173, otherwise known as the Data Privacy Act, is a law that seeks to
protect all forms of information, be it private, personal, or sensitive. It is meant to cover both
natural and juridical persons involved in the processing of personal information.

WHAT IS THE SCOPE OF THE DATA PRIVACY ACT?

As mentioned earlier, the Data Privacy Act applies to any natural or juridical persons
involved in the processing of personal information. It also covers those who, although not
found or established in the Philippines, use equipment located in the Philippines, or those
who maintain an office, branch, or agency in the Philippines.

WHAT IS PROCESSING OF PERSONAL INFORMATION?


Under Sec. 3(j) of the Data Privacy Act, “[p]rocessing refers to any operation or any set of
operations performed upon personal information including, but not limited to, the collection,
recording, organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data.”

In other words, processing of personal information is any operation where personal
information is involved. Whenever your information is, among other things, collected,
modified, or used for some purpose, processing already takes place.

WHAT IS PERSONAL INFORMATION?

Under Sec. 3(g) of the Data Privacy Act, “[p]ersonal information refers to any information
whether recorded in a material form or not, from which the identity of an individual is
apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify
an individual.”

In other words, personal information is any information which can be linked to your identity,
thus making you readily identifiable.

WHAT IS PRIVILEGED INFORMATION?


Under Sec. 3(k) of the Data Privacy Act, “[p]rivileged information refers to any and all forms
of data which under the Rules of Court and other pertinent laws constitute privileged
communication.” One such example would be any information given by a client to his
lawyer. Such information would fall under attorney-client privilege and would, therefore, be
considered privileged information.

DOES THE DIFFERENCE BETWEEN PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION MATTER?

Yes. The law treats both kinds of personal information differently. Personal information may
be processed, provided that the requirements of the Data Privacy Act are complied with. On
the other hand, the processing of sensitive personal information is, in general, prohibited.
The Data Privacy Act provides the specific cases where processing of sensitive personal
information is allowed.

IS THERE A DIFFERENCE BETWEEN PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION?

Yes. While personal information refers to information that makes you readily identifiable,
sensitive personal information, as defined in Sec. 3(l) of the Data Privacy Act, refers to
personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such person,
the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited
to, social security numbers, previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept
classified.

Therefore, any information that can be categorized under any of the enumerated items is
considered sensitive personal information.

ARE THERE ANY EXCEPTIONS TO THE APPLICATION OF THE DATA PRIVACY ACT?

The Data Privacy Act explicitly states that its provisions are not applicable in the following
cases:
(a) Information about any individual who is or was an officer or employee of a government
institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual;
and
(4) The name of the individual on a document prepared by the individual in the course of
employment with the government;
(b) Information about an individual who is or was performing service under contract for a
government institution that relates to the services performed, including the terms of the
contract, and the name of the individual given in the course of the performance of those
services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting
of a license or permit given by the government to an individual, including the name of the
individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which
includes the processing of personal data for the performance by the independent, central
monetary authority and law enforcement and regulatory agencies of their constitutionally
and statutorily mandated functions. Nothing in this Act shall be construed as to have
amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank
Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit
Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act
(CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of
the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with
Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the
Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any applicable data privacy
laws, which is being processed in the Philippines.

ARE COMPANIES REQUIRED TO APPOINT SOMEONE WHO SHOULD BE RESPONSIBLE FOR ENSURING COMPLIANCE WITH THE DATA PRIVACY ACT?

Yes. Under the Implementing Rules and Regulations of the Data Privacy Act, all
organizations are required to appoint a Data Protection Officer (“DPO”). The Data
Protection Officer shall be accountable for ensuring compliance with the appropriate data
protection laws and regulations.

CAN THERE BE MORE THAN ONE PERSON WHO SHALL PERFORM THE FUNCTIONS OF A DATA
PROTECTION OFFICER IN AN ORGANIZATION?

Yes. The Implementing Rules and Regulations of the Data Privacy Act speaks of an individual or
individuals who shall perform the functions of a Data Protection Officer or a Compliance Officer.

WHAT ARE THE CASES WHERE THE PROCESSING OF SENSITIVE PERSONAL INFORMATION AND
PRIVILEGED INFORMATION IS ALLOWED?

Section 13 of the Data Privacy Act enumerates the cases where sensitive personal information and
privileged information may be processed. These are the following:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in
the case of privileged information, all parties to the exchange have given their consent prior to
processing;

(b) The processing of the same is provided for by existing laws and regulations: Provided, That such
regulatory enactments guarantee the protection of the sensitive personal information and the privileged
information: Provided, further, That the consent of the data subjects are not required by law or
regulation permitting the processing of the sensitive personal information or the privileged information;

(c) The processing is necessary to protect the life and health of the data subject or another person, and
the data subject is not legally or physically able to express his or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of public
organizations and their associations: Provided, That such processing is only confined and related to the
bona fide members of these organizations or their associations: Provided, further, That the sensitive
personal information are not transferred to third parties: Provided, finally, That consent of the data
subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a medical
practitioner or a medical treatment institution, and an adequate level of protection of personal
information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of lawful rights
and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense
of legal claims, or when provided to government or public authority.
